queue-3.16/f2fs-set-owner-for-debugfs-status-file-s-file_operations.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Nicolai Stange <nicstange@gmail.com>
 Date: Sun, 20 Nov 2016 19:57:23 +0100
 Subject: f2fs: set ->owner for debugfs status file's file_operations

 commit 05e6ea2685c964db1e675a24a4f4e2adc22d2388 upstream.

 The struct file_operations instance serving the f2fs/status debugfs file
 lacks an initialization of its ->owner.

 This means that although that file might have been opened, the f2fs module
 can still get removed. Any further operation on that opened file, releasing
 included,  will cause accesses to unmapped memory.

 Indeed, Mike Marshall reported the following:

   BUG: unable to handle kernel paging request at ffffffffa0307430
   IP: [<ffffffff8132a224>] full_proxy_release+0x24/0x90
   <...>
   Call Trace:
    [] __fput+0xdf/0x1d0
    [] ____fput+0xe/0x10
    [] task_work_run+0x8e/0xc0
    [] do_exit+0x2ae/0xae0
    [] ? __audit_syscall_entry+0xae/0x100
    [] ? syscall_trace_enter+0x1ca/0x310
    [] do_group_exit+0x44/0xc0
    [] SyS_exit_group+0x14/0x20
    [] do_syscall_64+0x61/0x150
    [] entry_SYSCALL64_slow_path+0x25/0x25
   <...>
   ---[ end trace f22ae883fa3ea6b8 ]---
   Fixing recursive fault but reboot is needed!

 Fix this by initializing the f2fs/status file_operations' ->owner with
 THIS_MODULE.

 This will allow debugfs to grab a reference to the f2fs module upon any
 open on that file, thus preventing it from getting removed.

 Fixes: 902829aa0b72 ("f2fs: move proc files to debugfs")
 Reported-by: Mike Marshall <hubcap@omnibond.com>
 Reported-by: Martin Brandenburg <martin@omnibond.com>
 Signed-off-by: Nicolai Stange <nicstange@gmail.com>
 Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  fs/f2fs/debug.c | 1 +
  1 file changed, 1 insertion(+)

 --- a/fs/f2fs/debug.c
 +++ b/fs/f2fs/debug.c
 @@ -295,6 +295,7 @@ static int stat_open(struct inode *inode
  }

  static const struct file_operations stat_fops = {
 +	.owner = THIS_MODULE,
  	.open = stat_open,
  	.read = seq_read,
  	.llseek = seq_lseek,
	From: Nicolai Stange <nicstange@gmail.com>
	Date: Sun, 20 Nov 2016 19:57:23 +0100
	Subject: f2fs: set ->owner for debugfs status file's file_operations

	commit 05e6ea2685c964db1e675a24a4f4e2adc22d2388 upstream.

	The struct file_operations instance serving the f2fs/status debugfs file
	lacks an initialization of its ->owner.

	This means that although that file might have been opened, the f2fs module
	can still get removed. Any further operation on that opened file, releasing
	included, will cause accesses to unmapped memory.

	Indeed, Mike Marshall reported the following:

	BUG: unable to handle kernel paging request at ffffffffa0307430
	IP: [<ffffffff8132a224>] full_proxy_release+0x24/0x90
	<...>
	Call Trace:
	[] __fput+0xdf/0x1d0
	[] ____fput+0xe/0x10
	[] task_work_run+0x8e/0xc0
	[] do_exit+0x2ae/0xae0
	[] ? __audit_syscall_entry+0xae/0x100
	[] ? syscall_trace_enter+0x1ca/0x310
	[] do_group_exit+0x44/0xc0
	[] SyS_exit_group+0x14/0x20
	[] do_syscall_64+0x61/0x150
	[] entry_SYSCALL64_slow_path+0x25/0x25
	<...>
	---[ end trace f22ae883fa3ea6b8 ]---
	Fixing recursive fault but reboot is needed!

	Fix this by initializing the f2fs/status file_operations' ->owner with
	THIS_MODULE.

	This will allow debugfs to grab a reference to the f2fs module upon any
	open on that file, thus preventing it from getting removed.

	Fixes: 902829aa0b72 ("f2fs: move proc files to debugfs")
	Reported-by: Mike Marshall <hubcap@omnibond.com>
	Reported-by: Martin Brandenburg <martin@omnibond.com>
	Signed-off-by: Nicolai Stange <nicstange@gmail.com>
	Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	fs/f2fs/debug.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/fs/f2fs/debug.c
	+++ b/fs/f2fs/debug.c
	@@ -295,6 +295,7 @@ static int stat_open(struct inode *inode
	}

	static const struct file_operations stat_fops = {
	+ .owner = THIS_MODULE,
	.open = stat_open,
	.read = seq_read,
	.llseek = seq_lseek,